Summary
When the worm is executed it copies itself to the following locations:
c:\windows\system\MyPicture.bmp.vbs
c:\WINDOWS\Start Menu\Programs\StartUp\RunDLL.vbs
c:\My Documents\MyPicture.bmp.vbs
c:\MyPicture.bmp.vbs
Then it replaces all .VBS files in the following directories with itself:
c:\
c:\windows
c:\my documents
c:\windows\samples\wsh
Then it replaces both the "script.ini" and "mirc.ini" files in the "c:\mirc"
directory. When another user joins the same IRC channel where the
infected user is, the worm sends itself. The message it sends looks
like this:
Hi. (server) (port) (ip address) (os) (time) (date) (channel name) it's
been (time) since my last reboot! Mil0.4b
and it sends the file, "MyPicture.bmp.vbs".
Then the worm adds the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\WinLoad
This will execute the worm on the next reboot.
After that the worm creates a text file, "c:\Millennium.NFO" that
contains the text below:
Millennium 0.4b - mIRC/vBS
Fear the Millennium
On December 31st, the payload activates, showing a message box:
Happy New Year!
and changing the registered owner to "Millennium 0.4b", the registered
organization to "uNF" and the product name to "Winblows 2000".
Then it replaces the "autoexec.bat". When the system is restarted, it
shows a message:
Your Computer is NOT Y2K Complient!
Sorry For this Inconvenience
Millennium 0.4b
Finally this variant drops several files ("fix.txt", "fix.hex",
"fix.bat", "lcoder.hex" and "short.src") to the current directory.
Then the worm executes the "fix.bat" file.
The FIX.BAT file is a batch file that uses the standard DEBUG.EXE
utility to create a binary from the Assembly source code file
SHORT.SRC. Then the created SHORT.COM file is run. This file
decodes the LOADER.HEX file into a binary LOADER.EXE. Then the
LOADER.EXE is run and it processes the FIX.TXT file that instructs
it to decode FIX.HEX into a binary FIX.EXE. Then the FIX.EXE is run
and all dropped files are deleted.
The FIX.EXE file is a backdoor server (a hacker's remote access
tool) called 'the tHing v1.6'. The backdoor's executable is
compressed with the UPX file compressor. After being run, the backdoor
installs itself on the system: it copies itself as EXPLOR.EXE into the
Windows directory and modifies the SYSTEM.INI file so that it is run
during each Windows session. The backdoor adds its execution string
after the 'shell=explorer.exe' tag.
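The persistence points named in this description (the dropped .VBS files, the RunServices\WinLoad value and the extra entry appended to the SYSTEM.INI "shell=explorer.exe" line) can be checked mechanically. The Python below is an added example for this page, not the vendor's tool: it runs over constructed sample data (a file list, a registry snapshot and a SYSTEM.INI body) rather than a live system, the Windows directory is assumed to be c:\windows, and the registry value data is constructed because the description gives only the key and value name.

```python
"""Indicator checks for the Millennium worm / 'tHing' backdoor described above.

Added example, not part of the original description. Indicator names come from
the description; all sample inputs below are constructed for the demonstration.
"""
import re

# Drop locations listed in the description (lower-cased for comparison).
# The Windows directory is assumed to be c:\windows for EXPLOR.EXE.
WORM_DROP_PATHS = {
    r"c:\windows\system\mypicture.bmp.vbs",
    r"c:\windows\start menu\programs\startup\rundll.vbs",
    r"c:\my documents\mypicture.bmp.vbs",
    r"c:\mypicture.bmp.vbs",
    r"c:\millennium.nfo",
    r"c:\windows\explor.exe",
}

# Autostart value the worm adds: key path and value name.
RUNSERVICES_KEY = r"hklm\software\microsoft\windows\currentversion\runservices"
RUNSERVICES_VALUE = "winload"


def matching_drop_paths(paths):
    """Return the subset of `paths` that match known drop locations (case-insensitive)."""
    return sorted(p for p in paths if p.lower() in WORM_DROP_PATHS)


def suspicious_runservices(values):
    """`values` maps 'key\\value' strings to data; return only the WinLoad entry."""
    hits = {}
    for name, data in values.items():
        key, _, value = name.lower().rpartition("\\")
        if key == RUNSERVICES_KEY and value == RUNSERVICES_VALUE:
            hits[name] = data
    return hits


def extra_shell_entries(system_ini_text):
    """Return tokens appended after 'shell=explorer.exe' in the [boot] section.

    A clean Windows 9x SYSTEM.INI carries exactly 'shell=explorer.exe'; the
    backdoor appends its own execution string after it. If explorer.exe is not
    the first token at all, everything on the line is returned.
    """
    in_boot = False
    for raw in system_ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_boot = line.lower() == "[boot]"
            continue
        if in_boot:
            m = re.match(r"shell\s*=\s*(.*)", line, re.IGNORECASE)
            if m:
                tokens = m.group(1).split()
                if tokens and tokens[0].lower() == "explorer.exe":
                    return tokens[1:]
                return tokens
    return []


# Constructed sample input: one clean file, two dropped files, one clean and
# one suspicious registry value, and a SYSTEM.INI with the appended entry.
SAMPLE_PATHS = [
    r"C:\Windows\System\MyPicture.bmp.vbs",
    r"C:\Windows\Explor.exe",
    r"C:\Windows\Notepad.exe",
]
SAMPLE_REGISTRY = {
    # Value data is constructed; the description names only the key/value.
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\WinLoad":
        r"c:\windows\system\MyPicture.bmp.vbs",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemTray": "SysTray.Exe",
}
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe c:\\windows\\explor.exe\n[386Enh]\n"


def scan(paths=SAMPLE_PATHS, registry=SAMPLE_REGISTRY, system_ini=SAMPLE_SYSTEM_INI):
    """Run the three checks and collect the findings in one dictionary."""
    return {
        "drop_paths": matching_drop_paths(paths),
        "runservices": suspicious_runservices(registry),
        "shell_extras": extra_shell_entries(system_ini),
    }


if __name__ == "__main__":
    for name, finding in scan().items():
        print(f"{name}: {finding}")
```

On a real machine the three inputs would come from a directory walk, a registry export and the contents of c:\windows\system.ini; the checks themselves do not change. The shell-line check is the most general of the three, since it flags any executable appended to the shell= line, not only the name this backdoor uses.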
When the backdoor is activated, it notifies its author about the victim's
presence online using the WWPMsg.dll library: a 'Victim is ONLINE'
message is sent. The backdoor then provides limited access to the
infected system for a hacker who has a compatible client part of this
backdoor. It should be noted that the backdoor server is
password-protected, so it accepts connections only from a client
that has the correct password.